default.conf.template
# Upstream group for the jmwalletd HTTP API (target of `location /api/`).
upstream jmwalletd_api_backend {
    # Shared memory zone "upstreams" (64K); the other upstream groups in this
    # file reference the same zone by name without repeating the size.
    zone upstreams 64K;

    # Backend address comes from a template variable; presumably substituted
    # from the environment when this .template file is rendered. Treat the
    # value as deployment-controlled configuration, not user input.
    server $JAM_JMWALLETD_API_PROXY;

    # Keep up to 16 idle connections to the backend open per worker process.
    # Only effective together with `proxy_http_version 1.1` and an empty
    # `Connection` header in the proxying location.
    keepalive 16;
}
# Upstream group for the jmwalletd websocket (target of `location = /jmws`).
upstream jmwalletd_ws_backend {
    # Reuses the shared memory zone named "upstreams"; no size is given here.
    zone upstreams;

    # Backend address comes from a template variable; presumably substituted
    # from the environment when this .template file is rendered.
    server $JAM_JMWALLETD_WEBSOCKET_PROXY;

    # Keep up to 2 idle connections to the backend open per worker process.
    keepalive 2;
}
# Upstream group for ob-watcher (target of `location /obwatch/`).
upstream obwatch_backend {
    # Reuses the shared memory zone named "upstreams"; no size is given here.
    zone upstreams;

    # Backend address comes from a template variable; presumably substituted
    # from the environment when this .template file is rendered.
    server $JAM_JMOBWATCH_PROXY;

    # Keep up to 2 idle connections to the backend open per worker process.
    keepalive 2;
}
# Derive $jm_auth_present from the client's `x-jm-authorization` header:
# 1 when the header looks like "Bearer <at least one character>", else 0.
#
# This is a shape check only. It does not validate the token; validation is
# delegated to the backend via the `/jam/internal/auth` subrequest. Its job
# is to make sure a request with a missing or empty header is rejected before
# it reaches an endpoint that would also answer without credentials.
map $http_x_jm_authorization $jm_auth_present {
    default 0;
    "~^Bearer (?:.)+$" 1;
}
# Front-end server: serves the static web app from /app and reverse-proxies
# the jmwalletd API, the jmwalletd websocket and ob-watcher.
server {
    # Plain HTTP on all IPv4 and IPv6 addresses. No TLS is configured in this
    # block, so the bearer token carried in `x-jm-authorization` is only
    # protected in transit if something in front of this server terminates
    # TLS. NOTE(review): confirm the deployment guarantees that.
    listen 80;
    listen [::]:80;
    server_name _;

    access_log /var/log/nginx/access_jam.log;
    error_log /var/log/nginx/error_jam.log;

    gzip on;
    gzip_types application/javascript application/json text/css image/svg+xml;

    root /app;
    index index.html;

    # Static single-page app: fall back to index.html for unknown paths and
    # ask clients to revalidate cached responses.
    location / {
        include /etc/nginx/snippets/proxy-params.conf;
        try_files $uri $uri/ /index.html;
        add_header Cache-Control no-cache;
    }

    # jmwalletd HTTP API.
    location /api/ {
        include /etc/nginx/snippets/proxy-params.conf;

        # HTTP/1.1 with an empty Connection header enables upstream keepalive.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # jmwalletd expects the bearer token in the Authorization header, so
        # the value of the custom header is moved there. Any Authorization
        # header sent by the client is replaced by this.
        proxy_set_header Authorization $http_x_jm_authorization;
        # The custom authorization header itself is not forwarded.
        proxy_set_header x-jm-authorization "";

        # Some API requests can take over a minute. Play it safe and allow
        # 5 min (default is 60 sec). Increase on demand.
        proxy_read_timeout 300s;
        # Allow 5 min to connect (default is 60 sec).
        # NOTE(review): the nginx documentation states that this timeout
        # usually cannot exceed 75 seconds, so 300s may not take full effect.
        proxy_connect_timeout 300s;

        # TLS to the backend. nginx does not verify the upstream certificate
        # unless `proxy_ssl_verify on` is set (it is off by default), so this
        # gives encryption but no authentication of jmwalletd. If the backend
        # is reached over an untrusted network, pin its certificate with
        # `proxy_ssl_trusted_certificate` and enable `proxy_ssl_verify`.
        proxy_pass https://jmwalletd_api_backend;
    }

    # jmwalletd websocket (exact path match only).
    location = /jmws {
        include /etc/nginx/snippets/proxy-params.conf;

        # Standard websocket upgrade handshake headers.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Never forward a client-supplied Authorization header to the
        # websocket backend.
        proxy_set_header Authorization "";

        # Allow 10m without socket activity (default is 60 sec).
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;

        # Same caveat as /api/: the upstream certificate is not verified
        # unless `proxy_ssl_verify on` is configured.
        proxy_pass https://jmwalletd_ws_backend/;
    }

    # ob-watcher.
    location /obwatch/ {
        include /etc/nginx/snippets/proxy-params.conf;

        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Allow 5 min (default is 60 sec). Increase on demand.
        proxy_read_timeout 300s;
        # Allow 5 min to connect (default is 60 sec).
        proxy_connect_timeout 300s;

        # NOTE(review): unlike /api/ and /jmws, this location blanks neither
        # `Authorization` nor `x-jm-authorization`. Unless proxy-params.conf
        # already does so, any such header a client sends is forwarded to
        # ob-watcher over plaintext HTTP. Consider clearing both here if
        # ob-watcher never needs them.

        # Must proxy via "http" as ob-watcher does not make use of a
        # self-signed cert yet.
        proxy_pass http://obwatch_backend/;
    }

    # Authentication subrequest target for `auth_request`. `internal` makes
    # it unreachable for external clients. With auth_request, a 2xx response
    # from here allows the original request and 401/403 denies it.
    location = /jam/internal/auth {
        internal;

        # Requests to `/session` are valid without an auth header, so a
        # missing header would otherwise be treated as "authenticated".
        # It must therefore be ensured that the header is present and
        # contains a value before the subrequest is made.
        # ("if" is evil, but using just "return" inside is fine.)
        if ($jm_auth_present != 1) {
            return 401;
        }

        include /etc/nginx/snippets/proxy-params.conf;

        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # The auth check does not need the request body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        # Pass to `/session`, which will validate the header. The request is
        # sent to the address and port that accepted the connection, so it
        # presumably re-enters this server through `location /api/`, where
        # `x-jm-authorization` is converted into `Authorization`.
        proxy_pass http://$server_addr:$server_port/api/v1/session;
    }

    # Static feature flags, only returned to authenticated clients.
    location = /jam/api/v0/features {
        auth_request /jam/internal/auth;
        default_type application/json;
        return 200 '{ "features": { "logs": false } }';
    }

    # Log endpoints are gated by auth but not provided by this configuration.
    location /jam/api/v0/log/ {
        auth_request /jam/internal/auth;
        return 501; # Not Implemented
    }
}